December 6, 2000
Audit Report No. 00-049

Computer Virus Protection Program

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Inspector General, Office of Audits

DATE:     December 6, 2000

TO:       John F. Bovenzi, Chief Operating Officer

          Donald C. Demitros, Chief Information Officer and Director
          Division of Information Resources Management

FROM:     David H. Loewenstein
          Assistant Inspector General

SUBJECT:  FDIC's Computer Virus Protection Program
          (Audit Report No. 00-049)

The Office of Inspector General (OIG) has completed an audit of the Federal Deposit Insurance
Corporation's (FDIC) Computer Virus Protection Program (CVPP). This audit was performed to
assess the Corporation's ability to identify, contain, and clean computer viruses.

BACKGROUND

The Division of Information Resources Management's (DIRM) Information Security Staff (ISS)
reported 45,000 FDIC computer virus incidents during the first three quarters of 1999. A computer
virus is a specially designed computer program that has the ability to replicate itself and modify
other programs. This program may contain malicious instructions that disrupt a computer's proper
operation or destroy programs and other data stored in a computer. The FDIC defines a computer
virus incident as each occurrence of a virus being detected by FDIC computer virus protection
software (CVPS).
Computer viruses normally target the most popular or commonly used systems to
achieve the greatest disruption.

The economic impact of computer virus contamination is determined by considering the expense of
eliminating the virus and restoring the infected computer to its pre-contaminated state. This expense
also includes, in terms of time, lost productivity and potential loss of data. If computer virus
contamination is left unchecked, the extent of this expense may be significant. For example, an
August 1999 computer security publication reported that, "Computer virus attacks have cost
businesses $7.6 billion in 1999."[1] Another possible impact of computer virus contamination,
although less direct than the economic one, is the FDIC's loss of public trust due to perceived
weaknesses in its computer virus protection capabilities.

[1] Securitysense, Volume 2, No. 10, August 1999, Page 1.

The FDIC CVPP started on April 9, 1991 with the issuance of the CVPP Directive, Circular 1360.2.
At that time the CVPP focused on minimizing computer virus contamination of employee desktop
microcomputers introduced through diskettes and spread through file-sharing using segregated FDIC
local area networks. Over the past 9 years, the CVPP has grown in complexity to keep pace with the
rapid advancement of information technology and its deployment within the FDIC. The CVPP
Directive, Circular 1360.2, has been updated twice, in 1996 and in 1997, to enhance its effectiveness
and adapt it to changing conditions.

The expanded program now addresses computer virus contamination originating through electronic
mail and data transfers originating over the Internet, the FDIC Intranet, and, to a lesser extent,
through diskettes and compact disks.
At our audit's commencement, the FDIC used several
computer virus protection software products to safeguard the FDIC's technical infrastructure that
consisted of 14,635 computers, including 438 network servers, 10,210 desktop computers, and
3,987 laptop microcomputers. Network servers, desktop computers, and laptop microcomputers
support communication functions and system-user office work. The FDIC's CVPP also addresses
network access by FDIC employees and contractors conducting official business at external
locations after normal operating hours.

Staffing to support the FDIC's CVPP is comprised of DIRM ISS, the DIRM Helpdesk, DIRM
system administrators, and, to a lesser extent, appointed information security officers (ISO) from
each of the FDIC's divisions and offices. With the exception of DIRM ISS, staff support for virus
protection is provided on an as-needed basis and is usually part-time. DIRM ISS has assigned two
employees full-time, one employee part-time, and six contractors part-time to support the CVPP.

In addition to staff support, the primary CVPP component used to safeguard FDIC computer
resources from virus contamination is the software. CVPS are commercially available products
designed to detect and eradicate viruses and notify responsible parties about the detection and
eradication incident. At the commencement of our audit, the FDIC used several CVPS products,
including VirusScan, Webshield and Netshield by Network Associates; Inoculin by Computer
Associates; Norton Anti-Virus by Symantec; and F-Secure by F-Secure Corporation.

DIRM's ISS Director has identified computer virus prevention as the highest priority within the
Corporation's IT security program.
Prior to the audit's commencement, he established a Computer
Security Incident Response Team (CSIRT) to provide more timely response to computer virus
emergencies.

OBJECTIVES, SCOPE, AND METHODOLOGY

The objective of the audit was to determine the effectiveness and efficiency of the FDIC's CVPP.
To accomplish this objective, we interviewed DIRM ISS, Helpdesk, and Local Area Network
(LAN) management personnel. We also interviewed ISOs from the Legal Division, Chairman's
Office, Division of Supervision, Division of Finance, Division of Administration, and the Division
of Resolutions and Receiverships. Additionally, we researched CVPP best practices and reviewed
FDIC CVPP policies, standards, and procedures. Furthermore, we assisted DIRM's ISS Director in
identifying solutions to improve FDIC's CVPP program. Solutions arrived at during the audit
included DIRM's implementing real-time virus protection for FDIC NT servers and increasing the
frequency of CVPS signature file updates for the FDIC's laptop computers.

Our audit focused on the FDIC CVPP's capability to prevent, detect, and eradicate computer virus
contamination. During our audit, we judgmentally sampled 52 FDIC computers in the Washington,
D.C., area to assess whether CVPS was functioning in accordance with management's intentions.
Our sample consisted of 19 desktop computers, 14 network servers and 19 laptop computers drawn
from a Washington, D.C., area population of 5,227 desktop computers, 236 network servers and
769 laptop microcomputers.

To accomplish sample testing, we employed computer virus simulators that would cause CVPS to
trigger an alert without putting FDIC computer resources at risk of viral contamination. We also
verified whether FDIC computers that were susceptible to computer virus contamination indeed had
CVPS protection.
Furthermore, we determined whether the FDIC CSIRT responded to computer
virus emergencies in a timely manner. The audit was performed between November 1999 and
August 2000 in accordance with generally accepted government auditing standards.

RESULTS OF AUDIT

We concluded that the FDIC CVPP was generally effective in minimizing the exposure from
computer virus contamination. However, we identified possible improvements to further reduce the
probability of computer virus contamination within the Corporation. Specifically, we identified
several mission critical and operationally significant computers that were not afforded protection by
CVPS and other instances where CVPS was not fully utilized. We also noted that CVPS
maintenance could be strengthened and that the CVPP policies, standards, and procedures needed to
be updated and expanded to reflect current risks and operations. We communicated this
information to DIRM's ISS Director during our audit. DIRM's ISS Director initiated corrective
action during audit fieldwork to address some of these issues.

The effectiveness of the FDIC's CVPP was demonstrated during the global attack of the "I Love
You" computer virus. The actions taken by DIRM's ISS to protect corporate assets minimized the
impact of the attack. Specifically, DIRM ISS was able to develop and institute firewall filters
attuned to viral characteristics provided by the CSIRT. This special filter prevented the virus from
reaching FDIC computer resources. Because of the early warning provided by the CSIRT, the FDIC
fared better than many other federal agencies.
For example, the Social Security Administration
required 5 days to become fully functional and completely remove the virus from its systems.
Additionally, the Department of Labor's recovery required over 1,600 employee and 1,200
contractor hours.

COMPUTER VIRUS PROTECTION PROGRAM WOULD BENEFIT FROM A
THOROUGH RISK ASSESSMENT

The absence of a thorough risk assessment to guide refinement of the CVPP resulted in protection
that was not always fully effective. CVPS was not resident on some susceptible FDIC systems and
was not fully employed on others. For those systems without CVPS, stringent software
configuration management[2] was not in place to serve as a compensating protection mechanism.
System users could disable CVPS without DIRM ISS notification and did not always use power-up
passwords[3] to safeguard their desktop and laptop computers. Furthermore, an advanced CVPS
detection feature, heuristics analysis, was not being used to guard against newer, more sophisticated
viruses.

Although DIRM's ISS Director informally evaluated the vulnerabilities to the FDIC's IT resources
when he joined the Corporation in January 1999, a formal, documented risk assessment of the
FDIC CVPP had not been performed. Assessing risk is a prudent prerequisite to implementing
effective computer virus protection techniques. The Office of Management and Budget Circular
A-130: Management of Federal Information Resources, and the U.S. General Accounting Office's
Federal Information System Controls Audit Manual (FISCAM), both require periodic risk
assessments as part of an effective information resources management program.

During the period of April 1991 to December 1998, the FDIC CVPP evolved, according to DIRM
ISS, based upon specific virus incidents that faced the Corporation.
The FDIC addressed the threat
from computer viruses, but its approach was characterized as more reactive than proactive. Since
its inception in April 1991, the FDIC CVPP has been supported by one primary directive, Circular
1360.2, FDIC Computer Virus Protection Program. The directive has been updated twice in an
effort to ensure its consistency with existing practices. Although procedures for the FDIC's virus
protection program were developed and updated, DIRM ISS had not developed a formal strategic
plan or a risk assessment to support the CVPP program before 1999. In light of these
circumstances, the new DIRM ISS Director performed a preliminary vulnerability assessment
during the second quarter of 1999. A formal strategic plan to support the CVPP was then officially
established in October 1999.

As a consequence of not performing a thorough risk assessment, some FDIC computers were not
afforded the protection of computer virus protection software. Specifically, we noted that Sun
Solaris, IBM Mainframe, Lucent Private Branch Exchanges, and Cisco Routers and Switches were
not afforded virus protection software. Most of these computers either make use of a version of the
Unix operating system (or an operating system with a Unix component) or transfer information to
or from a computer with a Unix operating system derivative. These computers are involved in
varying degrees of internal and external data communication activity and support mission critical
FDIC systems.
The Unix operating system's susceptibility to computer virus contamination was
first recognized in 1989 by computer virus researchers.

[2] A process whereby computer programs are tightly controlled to detect and record all changes.
[3] Power-up passwords are the primary security mechanism for preventing local access to a computer's hard disk drive.

While stringent software configuration management can provide a compensating control to the
absence of CVPS, this practice was not consistently used within the FDIC. However, the absence
of stringent software configuration management has been addressed in the OIG's recent audit report
entitled FDIC's IT Configuration Management Program (Report Number 00-038) and will not be
addressed further within this audit report.

While we noted that the FDIC's Windows NT network servers were equipped with CVPS, we
found that the virus protection software was not fully utilized. Specifically, these network servers
did not use resident computer virus protection software in a real-time mode. Rather, such software
was run in a batch mode[4], usually overnight. According to DIRM LAN management personnel, NT
server virus-protection software was not used in a real-time mode due to network performance
problems.

While desktop and laptop systems have real-time virus detection capabilities through another
CVPS, the FDIC user community can easily disable this computer virus protection software without
automatic notification to DIRM ISS by the subject computer. FDIC's exposure, due to users'
ability to disable virus protection software without automatic notification, is increased if individuals
other than the intended user can access the desktop. Power-up passwords are the primary security
mechanism for preventing local access to a computer's hard disk drive.
Audit testing of 38 desktop
and laptop computers revealed that system users had not used power-up passwords to restrict access
on any of the computers.

FDIC's CVPP Directive, Circular 1360.2 requires that power-up passwords be used. Power-up
passwords can prevent unauthorized computer access and the introduction of computer viruses by
third parties. Access to the hard drive permits access to all FDIC software and data contained on it.
However, DIRM ISS's planned implementation of cryptography with smart-card technology
provides a compensating control to alleviate the need for power-up passwords. Accordingly, no
recommendation regarding power-up password use will be made in this report.

In addition to users being able to circumvent desktop and laptop real-time CVPS, the FDIC had not
implemented the heuristic analysis feature available within its CVPS. Heuristic analysis is a
state-of-the-art anti-virus technique that can detect new viruses before they have the chance to
contaminate a computer. Specifically, heuristic analysis involves identifying destructive program
code before the code is executed. Heuristic analysis is the primary method to detect both new and
polymorphic[5] computer viruses, such as those that recently contaminated worldwide computer
networks.

[4] A program is resident but dormant on a computer and requires manual intervention to execute.
[5] A computer virus that modifies itself each time it replicates to avoid detection by CVPS.

We brought these issues to DIRM's attention during the course of our audit. In response to some of
these issues, DIRM's ISS Director initiated corrective action during the process of fieldwork.
Specifically, he budgeted for Unix computer virus protection software and plans to employ an
external computer virus expert to perform a CVPP risk assessment.
In addition, he has initiated
research to identify computer virus protection program software that can be used on FDIC NT
servers in a real-time mode. Furthermore, he has activated the heuristic analysis feature contained
in CVPS. DIRM officials also advised that other IT initiatives limit their current ability to restrict
users from disabling virus protection software, but that future planned activities would address this
issue. The DIRM officials also agreed to continue to research interim options for restricting users'
ability to disable virus software. Management's actions and plans to address these issues have and
will provide benefits to the Corporation. Because some of DIRM's planned actions are not yet
complete and because virus protection activities are dynamic in nature, except as noted, we are
including recommendations for each of the issues discussed in this section.

Recommendations

We recommend that the Chief Information Officer and Director, DIRM, ensure that:

(1) A formal and thorough risk assessment of the FDIC CVPP is conducted and the results used
    as the basis for future enhancements to computer virus protection within the Corporation.

(2) Virus protection software is acquired and implemented for mission critical or operationally
    significant Unix-based computers within the Corporation, such as Sun Solaris and Oracle.

(3) Computer virus protection software for Windows NT servers be improved or replaced to
    provide real-time coverage.

(4) DIRM ISS continues to research methods of preventing the user community's capability to
    disable virus protection software used on FDIC desktop workstations and laptop computers
    without DIRM ISS notification.
    Once an optimal method is identified, DIRM ISS should
    implement it on a timely basis.

(5) Available heuristic analysis features of computer virus protection software used by the FDIC
    are activated.

COMPUTER VIRUS PROTECTION SOFTWARE MAINTENANCE NEEDS
IMPROVEMENT

CVPS signature file updates[6] were not performed at least weekly to minimize the risk of viral
contamination. In addition, complete documentation supporting testing of CVPS upgrades, testing
of signature-file updates, and management approval of CVPS configuration settings was not
established and retained. Also, sufficient numbers of qualified DIRM ISS staff may not exist to
effectively handle the CVPP workload and FDIC laptop computer users are not accessing the FDIC
network frequently enough to receive the latest CVPS signature-file updates. Furthermore, the
CVPS alert generation function did not always work as intended by management and generated
alerts were not consistently received by the CSIRT or captured in weekly statistical reports to
management.

[6] The process of adding new virus characteristics to the existing, applicable database within CVPS.

At the audit's inception, FDIC desktop and laptop CVPS non-emergency signature-file updates
occurred on a monthly basis. Although more frequent updates were observed for
network-connected desktop computers in response to viral emergencies, testing of signature file updates was
limited to re-verifying the detection of three viruses recently encountered at the FDIC.
Additionally, the DIRM ISS Director indicated that all CVPS signature file updating for laptop
computers was often less frequent due to extended periods of disconnection from the FDIC
networks.
We also noted that test documentation supporting CVPS upgrades and signature-file
updates was incomplete in terms of test purpose, methods, and results. Finally, we noted a lack of
evidence supporting management approval of CVPS configuration settings.[7]

Due to the proliferation of computer viruses and the volume of new virus activity, signature file
updates should be applied to FDIC computers as soon as they are made available by the CVPS
vendor. For example, the 1999 FDIC National Information Security Officer Conference reported
that at least 10 new viruses are created per day. Testing of virus signature file updates should be
sufficient to ensure CVPS continued and proper operation. Furthermore, such testing should
ensure that files, updated to detect available new virus signatures, correctly detect the new viruses.

Complete documentation should be established and retained to substantiate the test's purpose,
methods, and results. Evidence of management review and approval of CVPS configuration
settings should be retained to provide an official record substantiating that settings conform to
management's intentions and to facilitate accountability over their specification.

Monthly virus signature file update frequency, limited signature file update testing, incomplete
CVPS test documentation, and undocumented CVPS configuration-setting management approval
are the result of shifting operational priorities. Such shifting priorities are driven by DIRM ISS's
extremely heavy workload. Additionally, some laptop users do not consistently access the FDIC
network frequently enough to facilitate receipt of CVPS signature file updates.
For example, the
unique nature of Division of Supervision field operations makes frequent access to FDIC networks
inconvenient.

As a result of the cited conditions, new computer viruses may not be detected and eradicated by
existing CVPS, and the CVPS itself may not function as represented by the vendor. In addition,
CVPS operation and testing may not conform to management's intentions, all of which may permit
viral contamination of FDIC computer resources. Examples of these effects are illustrated by our
audit test results. First, the method used to invoke CVPS[8] on desktop computers influenced
whether an alert message was sent to the CSIRT in response to a detected virus. Second, on 13 of
19 desktop computers and 13 of 14 network servers evaluated, CSIRT did not receive simulated
virus alerts and accordingly, did not respond to them. Third, viral alerts generated from detected
external-electronic-mail-message viruses were not sent to the message originator. Fourth, with 13
of 19 desktop computers, 13 of 14 network servers, and all external email tested, generated virus
alerts were not captured in weekly virus statistical reports used by the DIRM ISS Director to
measure the effectiveness of the CVPP. The details of these test exceptions were communicated to
DIRM ISS during the audit.

[7] Specified operating parameters that govern how the software will function.
[8] CVPS can be invoked by either scanning a file or by attempting to use (read, write, delete) a file.

We brought these issues to the attention of DIRM's ISS Director during the course of our audit. In
response to some of the conditions cited, the DIRM ISS Director initiated a research effort early in
the audit to identify and implement an automated method for enforcing the timely receipt of
signature file updates by laptop computer users.
He also instituted weekly, as opposed to monthly,
CVPS signature file updates. Management's actions and plans to address these issues have and will
provide benefits to the Corporation. Because some of DIRM's planned actions are not yet complete
and because virus protection activities are dynamic in nature, we are including recommendations
for each of the issues discussed in this section.

Recommendations

We recommend that the Director, DIRM, ensure that:

(6) CVPS signature-file updates be performed as frequently as possible, preferably weekly, to
    minimize the risk of viral contamination.

(7) Complete documentation supporting the testing of CVPS upgrades and signature-file updates
    is established and retained in accordance with FDIC record retention policy.

(8) Management approval of CVPS configuration settings is established and retained in
    accordance with FDIC record retention policy.

(9) All uncleaned virus alerts generated by CVPS are consistently communicated to the CSIRT by
    the contaminated computer for follow-up and captured in weekly statistical reports to DIRM's
    ISS Director.

We further recommend that the FDIC Chief Operating Officer direct:

(10) All FDIC laptop computer users to access the FDIC network, preferably weekly but at least
     monthly, using their laptop computers to receive CVPS signature file updates.

COMPUTER VIRUS PROTECTION PROGRAM POLICIES, STANDARDS AND
PROCEDURES NEED TO BE EXPANDED AND UPDATED

DIRM Directive 1360.2, the overarching CVPP policy that was revised on April 29, 1997, is
comprehensive and contains instructions for virus recovery to assist system users in minimizing
computer damage. We further noted that the CSIRT Procedure[9] addressed the disposition of
viruses detected through FDIC CVPS.
However, we noted that Directive 1360.2 did not contain
certain information regarding computer virus prevention, detection, and eradication that, if
included, would enhance it and the entire FDIC CVPP.

We found that the policy would be enhanced in terms of virus prevention if it included the
following:
- Requirements that CVPS be used on all FDIC computers.
- Descriptions of alternate virus protection methods, such as stringent software configuration
  management, to be used when CVPS is not commercially available for a given FDIC computer.
- Technical supplements describing CVPS used at the FDIC and the software features selected,
  such as heuristics analysis, to minimize risk of contamination.
- Directions for using the recently installed central clearing computer for the purpose of
  inspecting and removing viruses prior to installation and execution on corporate computers.
- Instructions on how non-FDIC organizations with access to FDIC computer resources should
  comply with the CVPP.
- Information addressing FDIC employee and contractor virus awareness and protection training.
- Process descriptions on establishing and maintaining the frequency of virus signature file
  updates.
- Descriptions of newly developed, recurring virus protection tasks such as the firewall filtering
  used by DIRM ISS to counteract the recent "I Love You" virus incident.

We also found that the policy would be enhanced in terms of virus detection if it included the
following:
- Directions on using the CSIRT to perform analysis of new viruses and a description of the
  current role of the DIRM Help Desk and the Information Security Officers (ISOs) relative to
  their participation in the CVPP.
- Explanations regarding the use of multiple virus scanning and viral alert methods on FDIC
  computers.
-
  Guidance on using the recently created virus incident database as a reference tool.

In addition, we found that the policy would be enhanced in terms of virus eradication if it included
the following:
- Guidance on proper measures to be taken to remove computer viruses from compact disks and
  diskettes and on measures to take for sending newly detected viruses to outside virus labs for
  further analysis.
- Reference to supplemental CVPP policies and procedures, such as Home Use of FDIC Anti-virus
  Software and CSIRT Procedures with descriptions of their intended purpose.

[9] A recent procedure that governs how the Computer Security Incident Response Team operates.

Current and complete policies, standards, and procedures ensure that complex areas, such as
computer virus protection, operate in accordance with management's intentions. In addition, such
policies, standards and procedures provide employees with a written reference that is especially
helpful for infrequently performed duties. GAO's FISCAM stipulates that management
periodically assess the appropriateness of security policies and procedures as well as compliance
with them.

DIRM ISS has focused its human resources principally on dealing with computer virus incidents
facing the Corporation. As a result, maintenance of relevant directives became a secondary
concern. FDIC employees may not be fully aware of effective actions to employ when faced with a
computer virus contamination incident. Complete policies and procedures will help ensure that
corporate information technology resources will not be exposed to significant risk if crucial steps
are omitted or misunderstood. Furthermore, without the benefit of proper documentation, DIRM
ISS staff members responsible for performing anti-viral related tasks may not be able to perform
their duties in a repeatable manner.
This lack of regularity could result in system down-time,
significantly impairing corporate operations and thereby weakening public confidence and trust in
the FDIC.

We brought these issues to DIRM's attention during the course of our audit. In response, DIRM's
ISS Director initiated a review of all policies and procedures related to the CVPP. Because this
analysis is not yet complete and because virus protection activities are dynamic in nature, we are
including a recommendation to continue the review of existing policies and procedures.

Recommendations

We recommend that the Chief Information Officer and Director, DIRM, ensure that:

(11) DIRM ISS continues with its review of all policies and procedures currently in place
     relative to the CVPP.

(12) Upon the successful completion of the policy and procedure review, DIRM ISS develop and
     implement security policies that depict updated CVPP operational requirements and
     include, but are not limited to, the areas of computer virus prevention, detection, and
     eradication described above.

CORPORATION COMMENTS AND OIG EVALUATION

On November 6, 2000, the Chief Information Officer and Director, Division of Information
Resources Management, provided a written response to the draft report. The responses are
presented in Appendix I of this report. Subsequent to the November 6 response, DIRM provided
additional information regarding recommendation 10, directed to the FDIC's Chief Operating
Officer.

Based on discussions between the Chief Operating Officer and the Chief Information Officer and
Director, DIRM, the FDIC agrees with recommendation 10. Currently, e-mails are issued to all
DOS and DCA Field Offices and all Field Office Representatives every 2 weeks notifying all staff
to update their laptop CVPS signature files.
By February 15, 2001, the COO will issue a
memorandum to all FDIC employees requiring all laptop users to access the FDIC intranet at least
once a month and download the latest CVPS signature file updates to their laptops. In 2001, DIRM
will explore several options to enhance the ease with which laptop users can update the CVPS files.
Current alternatives that are being investigated include assessing the feasibility of new software
which will support "automatic" updates of CVPS files whenever a laptop user accesses the
network.

The Corporation's response to the draft report provided the elements necessary for management
decisions on the report's recommendations. Therefore, no further response to this report is
necessary. Appendix II presents management's proposed action on our recommendations and
shows that there is a management decision for each recommendation in this report.

APPENDIX I
CORPORATION COMMENTS

Federal Deposit Insurance Corporation
3501 North Fairfax Dr., Arlington, VA 22226
Division of Information Resources Management

November 6, 2000

TO:       David H. Loewenstein
          Assistant Inspector General

FROM:     Donald C. Demitros, Director

SUBJECT:  DIRM Management Response to the Draft OIG Report Entitled, "Audit of the
          FDIC's Computer Virus Protection Program" (Audit Number 99-906)

The Division of Information Resources Management (DIRM) has reviewed the subject draft audit
report and generally agrees with the findings and recommendations.
We were especially gratified that the audit found a “generally effective” program and recognized our efforts during the “I Love You” incident. We agree that this discipline requires constant improvement and vigilance. Responses to each of the specific recommendations (1 through 9, 11 and 12) directed to DIRM are provided below. Recommendation number 10 was directed to the Chief Operating Officer.

Management Decision:

Recommendations: We recommend that the Director, DIRM, ensure that:

(1) A formal and thorough risk assessment of the FDIC Computer Virus Protection Program (CVPP) is conducted and the results used as the basis for future enhancements to computer virus protection within the Corporation.

    DIRM Response: DIRM conducted a preliminary vulnerability assessment of the CVPP during the second quarter of 1999 and this OIG audit serves as an additional assessment. OMB A-130 requires such an assessment for major applications and general support systems but not a computer virus program. The current program has saved the Corporation millions of dollars in terms of possible down time and as compared to other agencies and the private sector. In accordance with its IS Strategic Plan, DIRM is implementing solutions to further strengthen the virus protection program. DIRM will have a vendor independently review and verify that the implemented solutions are effective in mitigating the virus risks to the Corporation. DIRM currently anticipates that this will be completed by June 30, 2001, after all the identified measures are put in place.

(2) Virus protection software is acquired and implemented for mission critical or operationally significant Unix-based computers within the Corporation, such as Sun Solaris and Oracle.

    DIRM Response: The industry has not reported any Solaris or Oracle viruses in the “wild” for over a decade. The anti-virus vendor community is selling anti-virus software that operates on the UNIX environment but that cannot be tested against the UNIX file systems as there are no UNIX-specific viruses identified for the platform. The 2001 implementation of DIRM’s new configuration management methodologies will serve as an added precaution to ensure that the ten FDIC employees who are responsible for software installation and/or maintenance on UNIX servers do not install software that might contain other types of viruses. DIRM will evaluate any promising UNIX-specific anti-virus packages when they become available in the anti-virus software community.

(3) Computer virus protection software for Windows NT servers be improved or replaced to provide real-time coverage.

    DIRM Response: Following a Request for Information (RFI) and a formal evaluation of several anti-virus software packages, DIRM has selected Trend Micro. This product will provide the real-time coverage as well as the centralized reporting. Implementation is targeted to begin in December of 2000.

(4) DIRM ISS continues to research methods of preventing the user community’s capability to disable virus protection software used on FDIC desktop workstations and laptop computers without DIRM ISS notification. Once an optimal method is identified, DIRM ISS should implement it on a timely basis.

    DIRM Response: In August 2000 DIRM ISS began the evaluation of Vshield 4.5 as a potential means of mitigating this risk. This newer version may make it harder for the user to disable the anti-virus software. DIRM ISS and the technical infrastructure staff will complete this evaluation by March 31, 2001. Note that DIRM is limited in being able to control user actions due to an insecure operating system (Windows 95). The pending upgrade to Windows 2000 may also further reduce or eliminate this vulnerability.

(5) Available heuristic analysis features of computer virus protection software used by the FDIC are activated.

    DIRM Response: This feature was activated nationwide in August 2000 with the exception of laptops, which will be completed by the end of the year.

(6) CVPS signature-file updates be performed as frequently as possible, preferably weekly, to minimize the risk of viral contamination.

    DIRM Response: As of January 2000 DIRM is implementing weekly updates for the servers and biweekly updates for the desktop. The website available for laptop users to download anti-virus updates is also updated every two weeks.

(7) Complete documentation supporting the testing of CVPS upgrades and signature-file updates is established and retained in accordance with FDIC record retention policy.

    DIRM Response: By November 15, 2000 DIRM ISS will provide complete documentation supporting the testing of upgrades and signature updates.

(8) Management approval of CVPS configuration settings is established and retained in accordance with FDIC record retention policy.

    DIRM Response: By January 15, 2001 DIRM ISS will publish management approved configuration settings for the following platforms: Desktop, Laptop, Servers, and NT Workstations. These settings will be published on a public folder, made available to DIRM, and retained in accordance with FDIC record retention policy.

(9) All uncleaned virus alerts generated by CVPS are consistently communicated to the CSIRT by the contaminated computer for follow-up and captured in weekly statistical reports to DIRM’s ISS Director.

    DIRM Response: DIRM is purchasing the Trend Micro anti-virus software for NT servers and Exchange servers to be implemented by December 31, 2000. This software will provide centralized alerts for the server. The desktop software provides alerts for uncleaned viruses with the exception of a manual scan where the user invokes the anti-virus software from the programs menu. When a virus is found during a manual scan the user only gets one option and that is to clean the virus. However, no alert is generated. If the software cannot clean the virus, it will stop the user from executing or copying the file. An attempt by the user to copy or execute the file will trigger the real-time anti-virus software that will in turn trigger an alert. Therefore, DIRM ISS believes that there is minimal risk to the Corporation. However, to remain proactive in the timely identification of uncleaned viruses, DIRM ISS will continue to work with the leading virus vendors. To that end, ISS requested in September 2000 that Network Associates, Inc. (NAI) consider the enhancement of their centralized alert feature during manual scans as a product enhancement. NAI agreed to consider the request.

We further recommend that the FDIC Chief Operating Officer direct:

(10) All FDIC laptop computer users to access the FDIC network, preferably weekly but at least monthly, using their laptop computers to receive CVPS signature file updates.

    DIRM Comment: This action item was assigned to the Chief Operating Officer (COO).

(11) DIRM ISS continues with its review of all policies and procedures currently in place relative to the CVPP.

    DIRM Response: DIRM ISS will complete its initial review of its CVPP policies and procedures by December 31, 2000.

(12) Upon the successful completion of the policy and procedure review, DIRM ISS develop and implement security policies that depict updated CVPP operational requirements and include, but are not limited to, the areas of computer virus prevention, detection, and eradication described above.

    DIRM Response: DIRM ISS will continue to improve its CVPP and implement policies and procedures that depict the improved CVPP. The revised version of the anti-virus directive (Circular 1360.2) is anticipated to be developed and in the Corporate Directive Clearing process by March 31, 2001.


Please address any questions to DIRM’s Audit Liaison, Rack Campbell, on (703) 516-1422.


APPENDIX II
MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC’s responses as management decisions in accordance with the act and related guidance, several conditions are necessary. First, the response must describe for each recommendation

   • the specific corrective actions already taken, if applicable;
   • corrective actions to be taken together with the expected completion dates for their implementation; and
   • documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid. Second, the OIG must determine that management’s descriptions of (1) the course of action already taken or proposed and (2) the documentation confirming completion of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions.
The information for management decisions is based on management’s written responses to our report.

Columns: Rec. Number; Corrective Action: Taken or Planned/Status; Expected Completion Date; Documentation That Will Confirm Final Action; Monetary Benefits; Management Decision: Yes or No.

Rec. 1
    Corrective Action: DIRM will have a vendor independently review and verify that implemented solutions are effective in mitigating the virus risks to the Corporation.
    Expected Completion Date: June 30, 2001
    Documentation That Will Confirm Final Action: Vendor report on virus risks
    Monetary Benefits: None
    Management Decision: Yes

Rec. 2
    Corrective Action: The 2001 implementation of DIRM’s new configuration management methodologies will serve as an added precaution to ensure that the ten FDIC employees who are responsible for software installation and/or maintenance on UNIX servers do not install software that might contain other types of viruses. DIRM will evaluate any promising UNIX-specific anti-virus packages when they become available in the anti-virus software community.
    Expected Completion Date: December 31, 2001
    Documentation That Will Confirm Final Action: New configuration management methodologies
    Monetary Benefits: None
    Management Decision: Yes

Rec. 3
    Corrective Action: Following a Request for Information (RFI) and a formal evaluation of several anti-virus software packages, DIRM has selected Trend Micro. This product will provide the real-time coverage as well as the centralized reporting.
    Expected Completion Date: December 2000
    Documentation That Will Confirm Final Action: System implementation notification
    Monetary Benefits: None
    Management Decision: Yes

Rec. 4
    Corrective Action: In August 2000, DIRM ISS began the evaluation of Vshield 4.5 as a potential means of mitigating this risk. This newer version may make it harder for the user to disable the anti-virus software. DIRM ISS and the technical infrastructure staff are continuing with this evaluation.
    Expected Completion Date: March 31, 2001
    Documentation That Will Confirm Final Action: Evaluation report
    Monetary Benefits: None
    Management Decision: Yes

Rec. 5
    Corrective Action: This feature was activated nationwide in August 2000 with the exception of laptops, which will be completed by the end of the year.
    Expected Completion Date: December 31, 2000
    Documentation That Will Confirm Final Action: Computer virus software configuration documentation
    Monetary Benefits: None
    Management Decision: Yes

Rec. 6
    Corrective Action: As of January 2000 DIRM is implementing weekly updates for the servers and biweekly updates for the desktop. The website available for laptop users to download anti-virus updates is also updated every two weeks.
    Expected Completion Date: Completed
    Documentation That Will Confirm Final Action: Computer virus protection program documentation
    Monetary Benefits: None
    Management Decision: Yes

Rec. 7
    Corrective Action: By November 15, 2000 DIRM ISS will provide complete documentation supporting the testing of upgrades and signature updates.
    Expected Completion Date: November 15, 2000
    Documentation That Will Confirm Final Action: Computer virus software test documentation
    Monetary Benefits: None
    Management Decision: Yes

Rec. 8
    Corrective Action: By January 15, 2001 DIRM ISS will publish management approved configuration settings for the following platforms: Desktop, Laptop, Servers, and NT Workstations. These settings will be published on a public folder, made available to DIRM, and retained in accordance with FDIC record retention policy.
    Expected Completion Date: January 15, 2001
    Documentation That Will Confirm Final Action: Approved computer virus software configuration settings
    Monetary Benefits: None
    Management Decision: Yes

Rec. 9
    Corrective Action: To remain proactive in the timely identification of uncleaned viruses, DIRM ISS will continue to work with the leading virus vendors. To that end, ISS requested in September 2000 that Network Associates, Inc. (NAI) consider the enhancement of their centralized alert feature during manual scans as a product enhancement. NAI agreed to consider the request.
    Expected Completion Date: Completed
    Documentation That Will Confirm Final Action: Letter to NAI requesting enhancement
    Monetary Benefits: None
    Management Decision: Yes

Rec. 10
    Corrective Action: The COO will issue a memorandum to all FDIC employees by February 15, 2001, requiring all laptop users to access the FDIC intranet at least once a month and download the latest CVPS signature file updates to their laptops.
    Expected Completion Date: February 15, 2001
    Documentation That Will Confirm Final Action: Memorandum from COO
    Monetary Benefits: None
    Management Decision: Yes

Rec. 11
    Corrective Action: DIRM ISS will complete its initial review of its CVPP policies and procedures by December 31, 2000.
    Expected Completion Date: December 31, 2000
    Documentation That Will Confirm Final Action: Notification of CVPP policies and procedure review completion
    Monetary Benefits: None
    Management Decision: Yes

Rec. 12
    Corrective Action: DIRM ISS will continue to improve its CVPP and implement policies and procedures that depict the improved CVPP. The revised version of the anti-virus directive (Circular 1360.2) is anticipated to be developed and in the Corporate Directive Clearing process by March 31, 2001.
    Expected Completion Date: March 31, 2001
    Documentation That Will Confirm Final Action: Revised CVPP policies and procedures
    Monetary Benefits: None
    Management Decision: Yes